A Case of Too Much Information: Ransomware Code Shared Publicly for “Educational Purposes”, Used Maliciously Anyway

Researchers, whether independent or from security vendors, have a responsibility to properly disseminate the information they gathered to help the industry as well as users. Even with the best intentions, improper disclosure of sensitive information can lead to complicated and sometimes even troublesome scenarios. But what exactly can be considered “proper” and “responsible” information sharing? How much is “too much information”?

In mid-August 2015, in an attempt to educate people, Turkish security group Otku Sen published an open source code for ransomware dubbed “Hidden Tear” and made it available for everyone at github. Hidden Tear uses AES encryption and can evade common AV platforms because it’s a new malware. Otku Sen also published a short video demonstrating how ransomware worked.

The creator was very specific about not using Hidden Tear as ransomware:

While this may be helpful for some, there are significant risks. Hidden tear may be used only for Educational Purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running hidden tear, even though you are innocent.

Unfortunately, anyone on the internet can disregard this warning. This became evident when Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. Our analysis showed that the website was compromised by a Brazilian hacker, and that the ransomware was created using a modified Hidden Tear code.

Warnings Aren’t Cops

The website was first compromised from Sept. 15 to Dec. 17. It was compromised once again on December 18. The website redirects users to a fake Adobe Flash download website where they are prompted to download a new Flash Player. Once the download is complete, the file will automatically run.

Figure 1. The infection vector

The modifications found in RANSOM_CRYPTEAR.B include an image with Portuguese text that replaces the user’s desktop background. The ransom note demanding R$ 2,000.00 (US$496. 94 as of Jan. 11) via Bitcoin, is also written in Portuguese. Another point which makes this attack unique is the fact that the generated key is lost within the valid file. The generated decryption key is saved inside a .txt file. Once dropped in the desktop folder, the malware starts encrypting files. Like other crypto-ransomware, this makes it very difficult to recover the files, even after the victim pays the ransom.

Figure 2. RANSOM_CRYPTEAR.B desktop image

Figure 3. RANSOM_CRYPTEAR.B ransom note

Sharing Responsibilities

To prevent or minimize the effects of ransomware, Trend Micro has always encouraged users to regularly back up files and have an up-to-date security solution because paying the ransom isn’t a 100% guarantee that the encrypted files would be decrypted (for more information on ransomware, read our article Ransomware 101: What, How, and Why). However, the more interesting aspect of this incident was the circumstance that allowed the distribution of the ransomware to happen in the first place: the fact that its source code was made available in a public space.

Even with the cautionary statement and the good intentions in mind, releasing information such as this was not a reasonable behavior. Keep in mind that a lot of people in the Deep Web or other forums also use explicit warnings as a way of washing their hands clean. One can even point out that forbidding the use of a certain technology or knowledge makes it even more attractive for cybercriminals and computer enthusiasts in general.

The security industry should be very careful when releasing information that could be used by threat actors. Even if the intentions of security researchers or security vendors are to educate the public, they need to carefully assess the risks prior to the release of possibly harmful information.

“We need to teach our kids physics, but not how to build an atomic bomb. We need to have knives in our kitchens, but not samurai swords,” says Martin Roesler, Trend Micro Senior Director for Research. “We need to share knowledge that creates understanding about potential damage, but not the ability to create it. It’s like medicine and poison—the difference between the both is just the doses. We need to share knowledge about how exploits work but not how to make use of them. We need to share knowledge how malware works, but sharing a sample code is not needed for that.

“For our industry it is, depending on each case, a decision between need to know and not need to know. Just the ‘but I want to know’ or ‘I want to share’ is not relevant. We should always share to a targeted audience, through a targeted medium, what this audience really needs. For example, we should share, via secure channels, with security vendors or vendors that are impacted by an exploit, the necessary information, up to sample level, so that they can protect users from damage. On the other hand, we should share, via public channels, to unrestricted audience, what they need to know to protect themselves. There are different audiences, and each audience should have different channels and different ‘doses’ of information.”